Download Security Issue

Download Security Issue

The main site is public and the other 2 require authentication. I have noticed that if I have the full direct download link (/content/download/etc..) from a file on site1 or site2 that I can access it from the www.mydomain.com WITHOUT logging in.

What kind of authentication is used for other 2 sites? Standard eZ Publish auth mechanism, htpasswd or something else?

Did you specify correct permissions for subtrees which are not supposed to be read by public? This involves adding the subtree that requires authentication to a section other than standard, and making sure that authenticated users can read the new section.